aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
15,041 Commits
7 Branches
161 Tags
173 MiB
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '3b1558946d'
${ noResults }
Commit Graph

261 Commits (3b1558946dff9e0466910273c2588e3071d19cb5)

Author SHA1 Message Date
Victor Julien b130234b26 var-names: reimplement var name handling 
Implement a new design for handling var name id's. The old logic
was aware of detection engine versions and generally didn't work
well for multi-tenancy cases. Other than memory leaks and crashes,
logging of var names worked or failed based on which tenant was
loaded last.

This patch implements a new approach, where there is a global store
of vars and their id's for the lifetime of the program.

Overall Design:

Base Store: "base"

Used during keyword registration. Operates under lock. Base is shared
between all detect engines, detect engine versions and tenants.
Each variable name is ref counted.

During the freeing of a detect engine / tenant, unregistration decreases
the ref cnt.

Base has both a string to id and a id to string hash table. String to
id is used during parsing/registration. id to string during unregistration.

Active Store Pointer (atomic)

The "active" store atomic pointer points to the active lookup store. The call
to `VarNameStoreActivate` will build a new lookup store and hot swap
the pointer.

Ensuring memory safety. During the hot swap, the pointer is replaced, so
any new call to the lookup functions will automatically use the new store.
This leaves the case of any lookup happening concurrently with the pointer
swap. For this case we add the old store to a free list. It gets a timestamp
before which it cannot be freed.

Free List

The free list contains old stores that are waiting to get removed. They
contain a timestamp that is checked before they are freed.

Bug: #6044.
Bug: #6201.
 2 years ago
Victor Julien 575fbdfbf3 detect/pcre: use local match data during parsing 
Fixes multi-tenant multi-loader crashes.

Bug: #6247.
 2 years ago
Victor Julien f6f2c22574 detect/pcre: remove redundant applayer flag set 2 years ago
Victor Julien 549f7873df detect: spelling 2 years ago
Victor Julien 6b27087527 detect/pcre: remove obsolete tests 2 years ago
Victor Julien 501388c912 detect/pcre: use util funcs for buffer test 2 years ago
Victor Julien b31ffde6f4 output: remove error codes from output 3 years ago
Philippe Antoine 1f066cbbe8 unittest: fix unneeded includes as per cppclean 
Especially because there is conditional inclusion from a header
 3 years ago
Victor Julien e250ef6402 debug: remove empty header 3 years ago
Philippe Antoine 02f2602dde src: rework includes as per cppclean 3 years ago
Philippe Antoine 585e5e0d3c detect: impose limits on pcrexform 
As is done for pcre keyword

Ticket: #5409
 3 years ago
Philippe Antoine c5cf2967b3 detect: fix integer warnings 
Ticket: #4516
 3 years ago
Victor Julien 84448d3bae tests: remove unnecessary flow locks 
Added once to satisfy debug validation, but we don't mix unittests
and debug validation anymore.

    sed -i -E '/.*FLOWLOCK_.*LOCK/d' *.c
 3 years ago
Victor Julien 69b8b48b94 detect/pcre: assist code analyzer around pointer logic 
cppcheck:

src/detect-pcre.c:381:27: warning: Either the condition 'pcap' is redundant or there is overflow in pointer subtraction. [nullPointerArithmeticRedundantCheck]
            cut_capture = MIN((pcap - regexstr), (fcap - regexstr));
                          ^
src/detect-pcre.c:378:18: note: Assuming that condition 'pcap' is not redundant
        else if (pcap && !fcap)
                 ^
src/detect-pcre.c:381:27: note: Null pointer subtraction
            cut_capture = MIN((pcap - regexstr), (fcap - regexstr));
                          ^

Bug: #5291.
 3 years ago
Victor Julien 7e2ed11a11 detect: fix bad BUG_ON pattern 
cppcheck:

src/detect-engine-uint.c:73:13: warning: Conversion of string literal "unknown mode" to bool always evaluates to true. [incorrectStringBooleanError]
            BUG_ON("unknown mode");
            ^
src/detect-engine-uint.c:328:13: warning: Conversion of string literal "unknown mode" to bool always evaluates to true. [incorrectStringBooleanError]
            BUG_ON("unknown mode");
            ^
src/detect-pcre.c:291:25: warning: Conversion of string literal "Impossible captype" to bool always evaluates to true. [incorrectStringBooleanError]
                        BUG_ON("Impossible captype");
                        ^

Bug: #5291.
 3 years ago
Victor Julien a14854bce9 detect: keyword list to hash to improve perf 
Since the switch to pcre2 this was much more heavily used, which
would lead to measurable time spent in list handling.
 3 years ago
Modupe Falodun 54bc43d3ed detect-pcre: remove unittests 
These tests are reimplemented in Suricata-Verify

Task: 4911
 3 years ago
Victor Julien 707b75ccda detect: split register time and detect load time buffer funcs 4 years ago
Philippe Antoine 8a50edbd10 pcre: fixes a memory leak on alloc error 4 years ago
Philippe Antoine c64a1f6a09 pcre: use thread-storage for matches 4 years ago
Philippe Antoine 3b690e53c8 pcre: using de_ctx in unit tests for free function 4 years ago
Philippe Antoine a049a6c29c pcre: creates a match structure per match run 
So that DetectPcrePayloadMatch is thread safe
and does not rewrite a shared parse_regex.match structure
 4 years ago
Philippe Antoine bce3c46874 pcre2: remove PCRE1 as dependency 4 years ago
Philippe Antoine e10d930660 pcre2: only one DetectParseRegex structure 4 years ago
Philippe Antoine 3de99a214c pcre2: migrate keywords parsing 4 years ago
Philippe Antoine 2dea9a1e37 pcre: use pcre2 to parse detect pcre itself 4 years ago
Philippe Antoine f0f3295ba0 pcre: migrate detect-pcre to pcre2 
pcre2 substrings need special free...
 4 years ago
Jeff Lucovsky 1eeb96696b general: Cleanup bool usage 4 years ago
Philippe Antoine 707f027231 protos: renaming ALPROTO_HTTP* constants 
Having now ALPROTO_HTTP1, ALPROTO_HTTP2 and ALPROTO_HTTP

Run with 3 sed commands
git grep ALPROTO_HTTP | cut -d: -f1 | uniq |
 xargs sed -i -e 's/ALPROTO_HTTP/ALPROTO_HTTP1/g'
git grep ALPROTO_HTTP12 | cut -d: -f1 | uniq |
 xargs sed -i -e 's/ALPROTO_HTTP12/ALPROTO_HTTP2/g'
git grep ALPROTO_HTTP1_ANY | cut -d: -f1 | uniq |
 xargs sed -i -e 's/ALPROTO_HTTP1_ANY/ALPROTO_HTTP/g'

and then running clang-format
 5 years ago
Philippe Antoine c8dbe24fb6 proto: introduce signature protocol, as extension to flow protocol 
AppProtoEquals function allows to check if a flow protocol
matches a signature protocol
 5 years ago
Jeff Lucovsky cbb03dbb39 detect/pcre: Test capture group/var mismatch 5 years ago
Jeff Lucovsky 469d5bb214 detct/pcre: Correct capture group count check 
This commit corrects the validation check between the number of
variables used and the number of specified capture groups.
 5 years ago
Victor Julien 6ab323d323 detect: hide RegisterTests behind ifdef UNITTESTS 
Update all callers to more aggressively use UNITTESTS guards as well.
 5 years ago
Philippe Antoine ac76ff9e47 detect: fail properly on invalid transform pcrexform 5 years ago
Victor Julien f8f2a2bbc0 detect/pcre: set app proto correctly when using modifiers 5 years ago
Victor Julien 9fd56e8430 detect/pcre: minor code cleanups 5 years ago
Jeff Lucovsky 12148bc53c detect/pcre: Use the keyword context for JIT stack 
When PCRE `jit` is available, store the JIT stack in the keyword context
instead of on a global id. This ensures proper cleanup and
re-initialization over a rule reload.
 5 years ago
Victor Julien 26bcc97515 detect/keywords: dynamic version part of doc URL 5 years ago
Jeff Lucovsky d3a65fe156 detect: Provide `de_ctx` to free functions 
This commit makes sure that the `DetectEngineCtx *` is available
to each detector's "free" function.
 5 years ago
Jeff Lucovsky f0bd69e7e3 detect/pcre: Correct spelling typos 6 years ago
Jeff Lucovsky 7f6af10fed general: copyright bump 6 years ago
Jeff Lucovsky abe0cdc4ad detect/pcre: Changes to support pcre_jit_exec 
This command causes `pcre_jit_exec` to be used when available. If it's
available and there are allocation errors preparing for it, things
fallback to `pcre_exec`.
 6 years ago
Jeff Lucovsky e73aec150b pcre: Sticky buffer check 
This commit adds logic checking if the sticky buffer in effect provides
the required content.

If the sticky buffer doesn't, the rule will not load and a diagnostic
message with follow-on steps is displayed.
 6 years ago
Shivani Bhardwaj d801c3e588 detect: Make keyword description consistent 
Closes redmine ticket #3137.
 6 years ago
Shivani Bhardwaj b5b429c288 detect: Add missing keyword URLs and description 
Add missing keyword URLs and their description. Fix the ones that
were incorrect.

Partially closes redmine ticket #2974.
 6 years ago
Victor Julien 579cc9f02b const: constify decoder, app-layer, detect funcs 6 years ago
Shivani Bhardwaj 85b56b633e detect: Improve rule keyword alproto registration 
1. Set WARN_UNUSED macro on DetectSignatureSetAppProto.
2. Replace all direct 'sets' of Signature::alproto from keyword registration.

Closes redmine ticket #3006.
 6 years ago
Victor Julien 2bd23bc1d5 detect/pcre: fix false positive 
Fix case where a HTTP modifier in PCRE statements would lead to
the rule alerting when it should not.

Bug #2769
 7 years ago
Eric Leblond 8c1b16e22d doc: fix some links in list-keywords command 7 years ago
Victor Julien 313661451d content inspection: support transforms 
Make sure content is applied to the transformed version of a buffer.

Support content with its modifiers, and also isdataat, pcre, bytetest
and bytejump.
 8 years ago